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Introduction 

The  advent  of  the  information  age  forced  many  nations  to  reexamine  their  security  procedures. 
As  a  result  of  the  new  and  overwhelming  dependence  of  critical  infrastructure  on  information 
systems,  information  security  is  a  priority  concern  to  governments  everywhere.  However,  not 
every  nation  has  interpreted  this  concern  in  the  same  fashion,  nor  at  the  same  pace. 

Russia,  for  example,  is  ahead  of  everyone.  It  has  produced  an  Information  Security  Doctrine  that 
includes  the  security  of  the  state,  society  and  the  individual  in  its  evaluation  of  information 
security  threats.  This  paradigm  allows  Russian  security  managers  to  consider  information  threats 
to  citizens  (their  cultural,  spiritual  and  psychological  well-being)  as  well  as  to  critical 
technologies  and  resources.  Perhaps  for  this  reason  Russia’s  military  doctrine  lists  external 
threats  as  information-psychological  and  information-technical  issues.  China  has  also  been 
affected  by  the  information  age.  It  is  concerned  with  influential  technologies  that  might  be  used 
as  a  form  of  virtual  deception  or  influence.  The  Internet  is  the  focus  of  most  of  China’s  concern, 
most  likely  because  it  offers  information  that  the  Chinese  government  cannot  control  completely 
at  this  time.  At  the  same  time,  China  has  an  information  technology  security  plan  known  as  Plan 
863,  and  established  a  Ministry  of  Information.  China  has  not  produced  an  information  security 
doctrine  or  related  document  of  which  the  author  is  aware.  The  U.S.,  while  considering 
psychological  operations  as  a  key  sub-element  of  information  operations,  relegates  less  attention 
to  the  information  threat  to  the  minds  of  its  citizens.  Rather,  U.S.  legislation  and  rights/acts 
(human  rights,  freedom  of  the  press,  speech,  etc.)  provide  cover  for  its  citizens  in  this  field.  The 
U.S.  focuses  on  critical  infrastructure  protection  instead  of  technologies  and  resources  as  the 


Russians.  The  U.S.  seldom  uses  the  term  “information  security”  when  discussing  cyber-based 
threats  in  official  documents. 

A  brief  look  at  how  these  three  nations  define  information  security  supports  this  broad  overview. 
The  U.S.  published  two  Presidential  Decision  Directives  (PDDs)  to  counter  information  age 
threats  to  U.S.  systems  and  its  population,  PDD-63  and  PDD-68.  PDD-63  focuses  on  critical 
infrastructure  protection.  The  22  May  1998  PDD-63  White  Paper  describes  the  growing 
vulnerability  to  U.S.  cyber-based  systems,  and  establishes  a  series  of  steps  to  counter  this 
vulnerability.  These  steps  are  to  be  in  place  by  2003,  and  include  the  analysis  of  foreign 
cyber/information  warfare  threats.  The  directive  mentions  the  term  information  security  only 
twice,  and  then  only  in  regard  to  public  outreach  programs. JJQ  PDD-68  coordinates  U.S.  efforts 
to  promulgate  its  policies  and  counteract  bad  press  abroad.  This  directive  created  the 
International  Public  Information  (IPI)  group  to  coordinate  the  identification  of  hostile  foreign 
propaganda  and  deception  techniques  that  target  the  U.S.,  according  to  the  group’s  charter. [21 
The  focus  is  hostile  information  programs  that  might  not  be  truthful.  The  directive  does  not 
characterize  its  actions  as  information  security  related.  To  find  a  U.S.  definition  of  information 
security,  one  must  turn  to  the  military.  Joint  Publication  3-13,  Joint  Doctrine  for  Information 
Operations,  defines  information  security  as  “the  protection  and  defense  of  information  and 
information  systems  against  unauthorized  access  or  modification  of  information,  whether  in 
storage,  processing,  or  transit,  and  against  denial  of  service  to  authorized  users.  Information 
security  includes  those  measures  necessary  to  detect,  document,  and  counter  such  threats. 
Information  security  is  composed  of  computer  security  and  communications  security.  Also  called 
INFOSEC.”[3] 

Russia  has  a  number  of  definitions  for  information  security,  perhaps  because  they  have  thought 
more  about  this  subject  than  other  nations  due  to  their  loss  of  ideology  when  the  Soviet  Union 
dissolved  in  1991.  Russia's  September  2000  Information  Security  Doctrine  defines  information 
security  as  "the  state  of  protection  of  its  national  interests  in  the  information  sphere  defined  by 
the  totality  of  balanced  interests  of  the  individual,  society,  and  the  state."  Just  a  few  months 
earlier,  in  a  May  2000  United  Nations  resolution,  Russia  defined  information  security  somewhat 
differently  as  the  "protection  of  the  basic  interests  of  the  individual,  society  and  the  state  in  the 
information  sphere,  including  the  information  and  telecommunications  infrastructure  and 
information  per  se  with  respect  to  its  characteristics,  such  as  integrity,  objectivity,  availability, 
and  confidentiality."  The  Russian  Academy  of  Natural  Sciences  defined  the  tenn  as  “the 
protection  of  the  information  medium  of  the  individual,  society  and  the  state  from  deliberate  and 
accidental  threats  and  effects. ”[4]  Information  security,  yet  another  source  adds,  is  connected 
with  information  and  its  material  carriers:  the  mind  of  a  person  and  other  carriers  of  information 
(books,  disks,  and  other  forms  of  “memory”). [5]  Thus,  differently  than  the  U.S.,  Russia  views 
both  the  mind  and  information  systems  as  integral  parts  of  its  concept  of  information  security. 

Chinese  academician  Shen  Changxiang,  of  the  Chinese  Academy  of  Engineering,  defined 
information  security  in  the  People’s  Liberation  Army’s  (PLA)  newspaper  of  the  General  Political 
Department  (the  PLA  Daily):  “[information  security]  refers  to  the  prevention  of  any  leakage  of 
information  when  it  is  generated,  transmitted,  used,  and  stored  so  that  its  usefulness,  secrecy, 
integrity,  and  authenticity  can  be  preserved;  and  so  that  the  reliability  and  controllability  of  the 
information  system  can  be  ensured.”[61  State  Council  member  Shen  Weiguang  notes  that 


information  warfare  (IW)  is  brain  warfare.  According  to  official  Chinese  sources,  the  Internet 
has  the  capability  to  manipulate  information,  the  truth,  and  the  moral-psychological  state  of 
Chinese  citizens.  China  realizes  that  the  Internet  cannot  be  controlled,  and  is  thus  a  concern  to 
the  government.  Thus  China  appears  more  like  Russia  than  the  U.S.  in  its  understanding  of 
information  security,  with  its  emphasis  on  the  mental  aspect  of  information  security  and  its 
extended  use  of  the  term  itself. 

This  paper  briefly  examines  the  information  security  policies  of  the  three  countries  noted.  There 
are  both  narrow  and  broad  approaches  to  the  subject,  and  situational  context,  culture,  and  history 
are  the  real  forces  that  differentiate  national  approaches.  An  understanding  of  each  country’s 
concerns  and  their  paradigm  for  interpreting  information  security  can  potentially  alleviate 
misunderstanding  in  future  international  discussions  among  nations  over  this  concept. 

U.S.  Views  on  Information  Security 

With  regard  to  information  technology  and  critical  infrastructure  protection,  PDD-63 
demonstrated  that  the  U.S.  is  very  interested  in  establishing  an  “infrastructure  to  protect  the 
infrastructure.”  The  document  builds  on  the  recommendations  from  the  October  1997  President’s 
Commission  on  Critical  Infrastructure  Protection.  PDD-63  opens  by  describing  the  growing 
potential  vulnerability  to  America’s  cyber  infrastructure,  and  then  states  the  President’s  intent, 
the  national  goal,  and  the  public-private  partnership  to  reduce  these  vulnerabilities.  Next  general 
guidelines  are  issued,  and  then  a  structure  and  organization  to  meet  the  challenge  are  introduced 
(which  included  lead  agencies  for  sector  liaison,  lead  agencies  for  special  functions,  interagency 
coordination,  and  the  appointment  of  a  National  Infrastructure  Assurance  Council).  Tasks 
included: 

•  Vulnerability  analysis 

•  Remedial  plan 

•  Warning 

•  Response 

•  Reconstitution 

•  Education  and  awareness 

•  Research  and  development 

•  Intelligence 

•  International  cooperation 

•  ;  Legislative  and  budgetary  requirements [7] 

A  National  Coordinator  for  Security,  Infrastructure  Protection,  and  Counter-Terrorism  is 
responsible  for  coordinating  the  implementation  of  the  directive.  This  person  will  also  chair  the 
Critical  Infrastructure  Coordination  Group  (CICG).  Further,  the  President  authorized  the  FBI  to 
create  a  National  Infrastructure  Protection  Center  (NIPC).  This  organization  shall  serve  as  a 
national  critical  infrastructure  threat  assessment,  warning,  vulnerability,  and  law  enforcement 
investigation  and  response  entity.  Finally,  the  national  coordinator  will  encourage  the  creation  of 
a  private  sector  information  sharing  and  analysis  center  (ISAC).  The  center  would  be  the 
mechanism  for  gathering,  analyzing,  appropriately  sanitizing  and  disseminating  private  sector 
information  to  both  industry  and  the  NIPC,  and  could  transmit  NIPC  information  the  other 


way.[8]  However,  throughout  the  PDD-63  White  Paper,  only  twice  (and  not  in  the  main  section) 
is  the  term  “information  security”  used. 

U.S.  civilian  agencies  seldom  use  the  term  “information  security.”  For  example,  in  a  computer 
search  of  Congressional  committees  and  bills  produced  by  the  107th  Congress,  there  are  four  hits 
for  the  term  “information  security”:  the  Computer  Security  Enhancement  Act  of  2001;  the  FBI 
Reform  Commission  Act  of  2001;  the  E-Government  Act  of  2001;  and  the  bill  “To  revise, 
codify,  and  enact  without  substantive  change  certain  general  and  permanent  laws,  related  to 
public  buildings,  property,  and  works,  as  title  40,  United  States  Code,  ‘Public...”.  None  of  these 
address  psychological  security  or  manipulating  the  emotions  or  logic  of  individuals  via 
information.  Searches  for  the  terms  information-psychological  security,  and  psychological 
security  in  the  50  bills  of  the  107th  Congress  resulted  in  zero  hits. 

Again,  one  has  to  turn  to  the  military  to  find  the  use  of  the  term  “information  security.”  The  U.S. 
General  Accounting  Office  report  of  March  2001  (GAO-0 1-341)  is  titled  “Information  Security: 
Challenges  to  Improving  DOD’s  Incident  Response  Capabilities.”  The  contents  of  this  document 
demonstrate  that,  to  the  authors  of  this  report  anyway,  information  security  is  a  computer  and 
information  system  related  problem.  No  reference  is  made  to  the  individual,  just  to  technical 
systems.  The  definition  from  the  Joint  Publication  noted  above  emphasized  the  computer 
security  and  communications  security  aspects  of  information  security. 

PDD-68,  mentioned  above,  discusses  the  requirement  to  identify  hostile  propaganda  and 
deception  targeted  against  the  U.S..  However,  PDD-68  apparently  does  not  address  information 
security.  The  actual  document  has  still  not  been  released.  Even  though  the  U.S.  does  not  mention 
information  security  in  terms  of  mental  activity,  other  western  nations  do.  Sweden,  for  example, 
has  a  psychological  defense  department  that  aims  to  uphold  for  every  Swedish  citizen  a 
constitutional  right  to  correct,  clear  and  complete  information  on  what  is  happening  in  society 
and  in  the  world  at  large,  especially  in  times  of  stress  or  crisis,  or  in  times  of  particular 
importance. [9] 

Most  Americans  realize  that  the  issue  of  the  influence  of  information  on  the  minds  of  Americans 
is  covered  by  different  terminology  than  “information  security.”  Advertising  agencies  are 
forbidden  to  persuade  citizens  using  certain  technology  such  as  the  infamous  “25th  frame  effect” 
demonstrated  in  the  1950s  at  one  theater.  The  mind  reportedly  can  process  24  frames  of  film  a 
second,  and  a  25th  frame  becomes  a  subliminal  message.  The  movie  theater  in  question  sold 
popcorn  and  drinks  by  inserting  this  extra  frame.  This  was  ruled  unconstitutional  and  other 
restrictions  on  media  advertising  are  written  into  U.S.  law  to  protect  human  rights  and  privacy. 
Thus  American  citizens  are  protected  from  “mind  attacks”  by  different  segments  of  legal  code 
using  different  terminology. 

The  U.S.  has  not  had  to  consider  the  human  aspect  of  cyber-based  operations  nor  the  loss  of  an 
ideology  as  some  nations  have  faced.  In  the  affected  countries  consideration  was  given  to  the 
“information-psychological  security”  factor  as  a  result  to  a  much  greater  degree  than  in  the  U.S., 
which  did  not  lose  its  democratic  ideology.  Russia  lost  an  ideology  and  is  working  hard  to  ensure 
that  Russian  culture,  identity,  and  spirit  do  not  also  disappear  along  with  it. 


Russian  Views  on  Information  Security 


The  approved  Russian  Federation’s  information  security  document  represents  the  purposes, 
objectives,  principles,  and  basic  directions  of  Russia’s  information  security  thought.  The 
document  is  divided  into  eleven  sections.  They  are: 

•  National  interests  of  the  Russian  Federation  in  the  information  sphere  (observance  of 
constitutional  and  individual  liberties,  information  backing  for  Russian  Federation  policy, 
development  of  information  technology  and  industry,  and  protecting  infonnation 
resources  from  unsanctioned  access) 

•  Types  of  threats  to  Russia’s  information  security  (to  constitutional  rights  in  spiritual  life, 
to  infonnation  backing  for  state  policy,  to  the  development  of  the  information  industry, 
and  to  the  security  of  infonnation — the  same  as  national  interests! !) 

•  Sources  of  threats  to  Russia’s  information  security  (external  and  internal) 

•  The  state  of  information  security  in  the  Russian  Federation  and  objectives  supporting  it 
(tension  between  the  need  for  the  free  exchange  of  information  and  the  need  to  retain 
individual  regulated  restrictions  on  its  dissemination) 

•  General  methods  of  information  security  of  the  Russian  Federation  (legal,  organizational- 
technical,  economic) 

•  Features  of  information  security  (economics,  domestic  policy,  foreign  policy,  science  and 
technology,  spiritual  life,  information  and  telecommunication  systems,  defense,  law 
enforcement,  and  emergency  situations) 

•  International  cooperation  in  the  field  of  information  security  (banning  infonnation 
weapons,  supporting  infonnation  exchanges,  coordinating  law  enforcement  activities, 
preventing  unsanctioned  access  to  confidential  information) 

•  Provisions  of  state  policy  of  information  security  (guidelines  for  federal  institutions  of 
state  power  and  institutions,  based  on  a  balance  of  interests  of  the  individual,  society,  and 
the  state  in  the  information  sphere) 

•  Priority  measures  in  implementing  information  security  (mechanisms  to  implement  the 
rule  of  law,  an  increase  in  the  efficiency  of  state  leadership,  programs  providing  access  to 
archives  of  information  resources,  a  system  of  training,  and  hannonizing  standards  in  the 
field  of  computerization  and  information  security) 

•  Functions  of  the  system  of  information  security  (summary  of  above  points,  17  in  all) 

•  Elements  of  the  organizational  basis  of  Russia’s  information  security  system  (President, 
Federation  Council  of  the  Federal  Assembly,  the  State  Duma  of  the  Federal  Assembly, 
the  government  of  the  Russian  Federation,  the  Security  Council,  and  other  federal 
executive  authorities,  presidential  commissions,  judiciary  institutions,  public 
associations,  and  citizens). 

The  security  doctrine's  sections  are  further  subdivided  into  three  or  four  recognizable  areas.  First, 
there  are  some  general  principles  associated  with  the  section.  Then  the  external  and  internal 
threats  to  that  section's  principles  are  listed,  and  this  is  followed  by  a  list  of  measures  to  be  taken 
to  offset  these  threats.  A  look  at  the  section  on  "subjects  of  the  information  security  of  the 
Russian  Federation  in  the  sphere  of  defense"  follows  to  examine  this  methodology. 


There  are  four  general  subject  areas  listed  under  this  section.  These  are  the  information 
infrastructure  of  the  central  elements  (the  branches  of  the  anned  forces  and  scientific  research 
institutions  of  the  Ministry  of  Defense)  of  military  command  and  control;  the  information 
resources  of  defense  complex  enterprises  and  research  institutions;  software  and  hardware  of 
automated  command  and  control  systems;  and  information  resources,  communication  systems, 
and  the  information  infrastructure  of  other  forces  and  military  components  and  elements. 

External  threats  to  the  Defense  Ministry  make  up  the  next  section.  They  include  the  intelligence 
activities  of  foreign  states;  information  and  technical  pressure  (electronic  warfare,  computer 
network  penetration,  etc.)  by  probable  enemies;  sabotage  and  subversive  activities  by  the 
security  services  of  foreign  states  using  information  and  psychological  pressure;  and  the  activity 
of  foreign  political,  economic,  and  military  entities  directed  against  the  defense  interests  of  the 
Russian  Federation.  Internal  threats  include  the  violation  of  established  procedures  for  collecting, 
processing,  storing,  and  transmitting  infonnation  within  MoD;  premeditated  actions  and  personal 
mistakes  with  special  information  and  telecommunications  systems,  or  with  the  latter's  unreliable 
operation;  information  and  propaganda  activities  that  undennine  armed  forces  prestige; 
unresolved  questions  about  protecting  intellectual  property  of  enterprises;  and  unresolved 
questions  regarding  social  protection  of  servicemen  and  their  families. 

The  final  section  of  the  defense  discussion  outlines  the  main  ways  to  improve  the  system  of 
information  security  for  the  armed  forces  including  the  systematic  detection  of  threats  and  their 
sources;  structuring  the  goals  and  objectives  of  information  security;  certifying  general  and 
special  software  and  information-protection  facilities  in  automated  military  control  and 
communications  systems;  the  improvement  of  facilities  and  software  designed  to  protect 
information;  improvement  in  the  “structure  of  functional  arms”  in  the  system  of  information 
security;  training  of  specialists  in  the  field  of  infonnation  security;  and,  most  important  in  light 
of  the  Russian  military  doctrine's  views  on  information  security,  the  refinement  of  the  modes  and 
methods  of  strategic  and  operational  concealment,  reconnaissance,  and  electronic  warfare,  and 
the  methods  and  means  of  active  countenneasures  against  the  infonnation  and  propaganda  and 
psychological  operations  of  a  probably  enemy. 

Interestingly,  this  discussion  of  the  information  security  dimension  of  the  defense  sphere  varies 
from  the  military  doctrine  of  the  Russian  Federation.  The  latter  states  quite  specifically  that 
information-psychological  and  infonnation-technical  matters  are  the  two  external  threats  to 
Russia,  and  disruptive  plans  or  technologies  are  the  greatest  internal  threats.  That  these  two 
important  tenns  are  not  used  in  the  information  security  doctrine  is  probably  due  to  the  fact  that 
military  people  advised  but  did  not  write  it.  However,  the  two  sections  on  the  spiritual  and 
cultural  sphere,  and  the  section  on  the  scientific  research  sphere  cover  the  military's  information- 
psychological  and  information-technical  concerns  from  the  military  doctrine.  While  not  citing 
information-psychological  activities  directly,  several  sections  imply  this  is  a  concern.  For 
example,  under  constitutional  rights,  it  notes  that  a  threat  is  the  unlawful  use  of  special 
techniques  influencing  the  individual,  group,  and  social  consciousness,  as  well  as  the 
disorganization  of  the  system  of  cultural  values.  Under  foreign  policy  concerns,  an  internal  threat 
is  the  propaganda  activities  of  political  forces,  public  associations,  the  news  media,  and 
individuals  who  distort  the  strategy  and  tactics  of  the  foreign  policy  of  the  Russian  Federation. 
An  important  spiritual  concern  is  the  prevention  of  unlawful  information  and  psychological 


influences  on  the  mass  consciousness  of  society  and  the  uncontrolled  commercialization  of 
culture  and  sciences.  Thus,  information  security  in  Russian  is  focused  on  both  the  mind  and  on 
technical  systems.  The  impression  is  that  internal  threats  are  more  real  and  consequential  than 
external  threats. 

The  information  security  doctrine  uses  the  term  "information-protection"  quite  often,  and  this 
tenn  is  the  one  item  that  the  state  could  put  on  a  par  with  the  military's  information- 
psychological  and  information-technical  issues.  Another  area  of  obvious  emphasis  is  the 
formation  of  a  legal  base  for  information  security.  The  laws  on  "State  Secrecy,"  "Information, 
Computerization,  and  Information  Protection,"  "Participation  in  International  Infonnation 
exchange,"  and  "Essentials  of  Legislation  of  the  Russian  Federation  on  the  Archive  Collection  of 
the  Russian  Federation  and  Archives"  are  specifically  mentioned.  Legal  issues  are  one  of  three 
methods  of  information  security  mentioned  in  the  doctrine,  with  organizational-technical  and 
economic  the  other  two.  The  threat  of  information  weapons  to  Russia's  information  infrastructure 
and  the  threat  of  foreign  governments  using  information  warfare  techniques  against  Russia  were 
also  mentioned.  Special  concern  focused  on  the  inadequate  development  of  telecommunication 
systems,  the  integrity  of  information  resources,  space-based  reconnaissance,  and  electronic- 
warfare  facilities. 

On  an  international  level,  the  doctrine  is  designed  to  do  several  things.  These  include: 

•  Banning  the  development,  proliferation,  and  use  of  information  weapons 

•  Supporting  the  security  of  international  infonnation  exchanges,  including  the  integrity  of 
information  during  its  transmission  by  national  telecommunication  channels 

•  Coordinating  the  activities  of  these  law  enforcement  agencies  of  countries  that  are  part  of 
the  world  community  to  prevent  computer  crime 

•  Preventing  unsanctioned  access  to  confidential  information  in  international  banking 
telecommunication  networks  and  world  trade  information-support  systems  as  well  as 
information  of  international  law-enforcement  organizations  fighting  transnational 
organized  crime,  international  terrorism,  illicit  trade  in  arms  and  fissionable  materials, 
and  in  the  distribution  of  narcotics  and  mind-altering  substances,  and  the  trade  of  human 
beings. 

Near  its  end  the  doctrine  notes  that  the  "implementation  of  the  guarantees  of  the  constitutional 
rights  and  liberties  of  man  and  citizen  concerning  activity  in  the  information  sphere  is  the  most 
important  objective  of  the  state  in  the  field  of  information  security."  While  this  sounds  pleasant 
enough,  Russian  citizens  are  concerned  over  the  interpretation  of  this  notion.  Some  citizens  fear 
the  fact  the  government  was  concerned  about  two  issues:  conveying  RELIABLE  information  to 
the  Russian  and  international  community,  and  NOT  ALLOWING  propaganda  that  promoted  the 
incitement  of  social,  racial,  national,  or  religious  hatred  and  animosity.  Measured  against  the 
government's  handling  of  the  Kursk  incident  and  the  war  in  Chechnya,  the  idea  of  reliable 
government  information  is  questionable  at  best.  The  government  considers  the  "information  war" 
conducted  by  the  press  for  public  opinion  as  a  very  important  aspect  of  keeping  the  emotions  and 
loyalties  of  its  people  in  check  during  crises.  All  governments  do  this  to  a  certain  degree,  but  the 
Russian  government  appears  to  have  swung  the  pendulum  far  past  reason  in  these  two  cases.  The 
doctrine  states  near  its  conclusion  that  a  basic  function  of  the  system  of  information  security  of 


the  Russian  Federation  is  "the  determination  and  maintenance  of  a  balance  between  the  needs  of 
citizens,  society,  and  the  state  for  the  free  exchange  of  information,  and  the  necessary  restrictions 
on  the  dissemination  of  information." 

The  last  paragraph  of  the  document  states  that 

The  implementation  of  the  priority  measures  in  support  of  the 
information  security  of  the  Russian  Federation  enumerated  in  this 
doctrine  presupposes  the  drafting  of  the  corresponding  federal 
program.  Certain  provisions  of  this  doctrine  may  be  made  more 
specific  with  reference  to  particular  spheres  of  the  activity  of 
society  and  the  state  in  the  appropriate  documents  approved  by  the 
President  of  the  Russian  Federation. 

Over  the  next  few  years  more  attention  should  be  directed  to  these  more  recent  documents.  The 
first  meeting  to  start  the  process  was  the  23  October  conference  on  information  security. 

Anatoliy  Streltsov,  deputy  head  of  the  Information  Security  Department  (which  has  six 
members)  of  the  staff  of  the  Russian  Security  Council,  said  that  the  doctrine  might  promote  a 
dialogue  between  the  authorities  and  the  press.  The  conference  hoped  to  create  a  data  bank  for 
shaping  state  policy  in  the  sphere  of  the  mass  media  and  the  formation  of  the  most  effective  basis 
for  cooperation  between  the  press  services  of  ministries  and  agencies,  on  the  one  hand,  and  the 
mass  media  on  the  other. [101 

Chinese  Views  on  Information  Security 

The  issue  of  information  security  appeared  to  become  an  important  subject  in  China  in  early 
2000.  A  series  of  articles  on  the  subject  appeared  in  the  press  throughout  the  year.  Even  though 
not  directly  addressed  in  the  definition  above  of  information  security,  the  content  of  the  articles 
showed  that  Chinese  analysts  consider  the  information  security  aspect  of  the  mind  more  so  than 
does  the  U.S.  but  less  so  than  the  Russians.  For  example,  some  Chinese  analysts  feel  that  the 
U.S.  wants  to  use  the  Internet  to  shape  the  world’s  values  in  accord  with  those  of  the  U.S.  in 
order  to  maintain  political,  economic,  military,  and  information  benefits T 1 11 

It  was  also  of  interest  that  many  Chinese  information  security  articles  are  published  by  military 
journals.  The  military  cites  problems  due  to  a  neglect  of  safeguards,  backward  technology,  and  a 
lack  of  comprehensive  rules  and  regulations.  [121  The  first  Chinese  all-army  forum  held  in  late 
October  2000  set  forth  management  rules  and  accelerated  building  an  effective  protection  system 
for  information  security  technology.  There  are  now  more  than  1,000  computer  networks  of 
various  kinds  for  the  PLA  to  managed  131 

The  military  identified  the  “three  shifts”  required  to  ensure  the  security  of  network  information. 
These  shifts  are  from  maintaining  secrets  to  maintaining  secrets  and  building  firewalls,  from 
merely  emphasizing  conventional  security  work  to  emphasizing  the  security  of  infonnation,  and 
from  stressing  administrative  management  to  stressing  both  administrative  management  and 
prevention  technology.  Educators  are  trying  to  help  officers  renew  their  concept  of  security  and 
establish  building  a  “firewall”  in  everyone’s  head.  The  armed  forces  are  trying  to  train  a  group  of 


“network  guards”  with  high-tech  expertise.  This  process  has  been  accelerated  through  the 
establishment  of  an  all-army  center  for  information  security  examination,  appraisal,  and 
recognition.  T 141 

Chinese  information  theorists  believe  that  the  modem  fight  is  centered  on  the  “right  of 
controlling  information,”  making  information  security  one  of  the  “commanding  heights”  for 
winning  a  war.  “The  right  of  controlling  information”  is  synonymous  with  having  an  advantage 
in  warfare.  This  makes  the  information  confrontation  an  important  operational  component  of 
modem  war  with  information  security  and  confidentiality  the  main  battleground.  Obtaining  and 
counter-obtaining,  control  and  anti-control,  and  destroying  and  counter-destroying  will  become 
an  important  operational  mode  in  future  warfare,  as  will  developing  the  strategies  and  tactics  of 
information  security  work. 

PLA  deputies  to  the  National  People’s  Congress  called  for  legislation  on  information  security, 
and  pointed  out  a  few  hidden  dangers— technological  traps  and  weak  preventative  measures. 
Deputies  called  for  a  national  defense  information  security  law,  and  concentration  of  effort  to 
speed  up  the  development  of  information  security  technology  in  China.[151  On  23  October  2000, 
the  Chinese  State  council  recommended  that  the  18th  meeting  of  the  9th  National  People’s 
Congress  consider  a  final  daft  of  related  regulations  on  maintaining  network  and  information 
security.  It  appears  that  the  issue  is  receiving  top-level  consideration,  and  that  a  policy  may  be 
forthcoming  in  the  coming  year.  [161 

Shen  Changxiang  wrote  the  most  authoritative  article  available  to  this  author  on  the  subject  of 
information  security.  He  noted  that  the  main  threats  to  China’s  cyber- information  system 
included  (1)  its  being  tampered  with,  altered,  stolen  or  sabotaged  by  vimses,  or  by  hackers  taking 
advantage  of  the  Internet  to  intmde  into  the  system  to  collect  and  transmit  sensitive 
information  (2)  using  computers’  CPUs,  or  pre-installed  information  collection  and  sabotage 
programs  in  the  computer’s  operating  system,  data  managing  system,  and  application  system  (3) 
and  monitoring  and  intercepting  information,  using  the  Computer’s  electromagnetic  leaks  and  its 
peripheral  equipment.  Whoever  excels  in  preserving  information  security;  controls  information 
and  wins  the  information  war  in  future  conflicts.  In  IW,  the  difference  between  a  developed 
country  and  an  undeveloped  country  will  be  far  smaller  than  if  it  were  a  conventional  war.  This 
requires  that  China  draw  up  an  information  security  strategy  and  information  defense 
system.  T 171 

In  the  civilian  sector,  information  security  is  as  important  a  topic  as  it  is  in  the  military  sector.  In 
June  of  2001  the  weekly  general  affairs  journal  of  China’s  official  news  agency  Xinhua, 
Liaowang,  stated  that  information  security  issues  are  now  of  the  utmost  importance.  For 
example,  the  Internet  is  linked  to  vital  national  infrastructures  as  well  as  to  the  education,  health, 
and  minds  of  citizens.  This  makes  the  control  of  the  Internet’s  information  security  aspect  twice 
as  important  as  it  was  in  the  past.  In  addition,  it  is  estimated  that  over  33%  of  the  U.S.  economic 
growth  is  from  the  information  industry.  The  U.S.  has  control  over  the  Internet  and  online 
resources.  Liaowang  estimated  that  America  has  70%  of  the  world’s  web  sites,  94  of  the  top  100 
most  visited  web  sites,  accounts  for  nearly  one  half  of  the  world’s  total  number  of  cybercitizens, 
and  conducts  nearly  90%  of  the  world’s  Internet  business.  It  also  controls  80%  of  the  world’s 


computer  systems  and  software  markets.  The  Internet  has  also  produced  new  information 
security  issues  such  as  simply  controlling  the  amount  of  information  available.  \  181 

The  most  visible  expression  of  a  Chinese  information  security  “plan”  was  offered  in  the  June 
2000  issue  of  the  Internet  website  Guojia  Gao  Jishu  Yanjiu  Fazhan  Jihua  (HTRDP)  863.  This 
website  is  sponsored  by  the  China  Office  for  the  High  Technology  Research  and  Development 
Plan,  an  institution  under  the  State  commission  for  Science  and  Technology.  The  web  site 
offered  a  guide  to  help  China  focus  on  making  technical  breakthroughs  regarding  typical 
information  security  issues  and  tasks  in  politics,  the  economy,  and  culture.  The  guide  is  based  on 
decisions  from  the  “Emergency  Information  Security  Technology  Plan”  formulated  by  a 
specialist  group  researching  information  security  strategy  for  National  Plan  863.  The  goals  of 
the  plan  are:  effectively  alleviate  information  security  issues  for  party  and  government  network 
systems  and  financial  network  systems;  effectively  control  the  wanton  propagation  of  illegal  and 
deleterious  information  in  mutually  connected  networks;  and  raise  China’s  information  security 
technology  to  a  new  level.  [191 

There  are  several  information  security  issues  affecting  China.  First,  China  must  correct  flaws  in 
its  information  security  management  system.  There  is  no  clear  division  of  labor  on  information 
security  management  among  various  functional  departments,  and  it  is  difficult  to  adapt  the 
present  management  model  to  a  networked  era.  Second,  there  is  an  inadequate  legal  system  in 
place  to  handle  information  security  issues.  Critical  laws  designed  to  protect  the  information 
infrastructure  have  not  been  formulated,  and  the  construction  of  a  legal  system  lags  far  behind 
what  is  required.  Third,  more  research  is  required  in  the  area  of  core  information  security 
technologies  and  products.  China  is  limited  by  its  microelectronics  industry,  which  is  of  a  lower 
quality  and  standard.  Many  cryptographic,  digital  signature,  identity  authentication,  firewall  and 
monitoring  system  requirements  are  not  fulfilled  as  a  result.  Finally,  there  are  many  hidden 
information  security  dangers  associated  with  China’s  financial  system.  The  use  of  lower- grade 
PCs  and  the  lack  of  information  security  methods  in  supervisory  management  still  make  people 
nervous.  f20] 

Qiushi  magazine  warned  that  China  must  develop  an  information  security  system  that  is  strong 
and  adaptable,  independent  of  foreign  control,  and  must  combat  superstition,  rumors,  slander, 
pornography  and  hackers  that  corrupt  people’s  minds  and  threaten  national  security.  Of 
particular  concern  is  the  Internet  as  a  subversive  tool.  The  U.S.’s  over  reliance  on  technology 
causes  it  to  forget  that  the  last  line  of  defense  in  information  security  remains  people.  China  must 
also  enhance  the  use  of  positive  propaganda  on  the  Net,  and  strive  to  run  a  number  of  web  sites 
that  attract  people.  China  must  also  build  up  its  information  security  infrastructure  including 
network  control  centers,  appraisal  and  certification  centers,  and  virus  prevention  centers.  This 
will  help  accelerate  the  promotion  of  China’s  information  security  sector.  [2 11 

State  Council  member  Shen  Weiguang,  reportedly  China’s  first  information  warfare  analyst, 
wrote  that  China  needed  a  national  information  security  commission  to  strengthen  centralized 
leadership  over  information  warfare  research.  Such  a  commission  should  assume  total 
responsibility  for  China’s  information  security  and  provide  an  information  security  and 
information  warfare  studies  institute  at  the  highest  level.  Soldiers  no  longer  have  a  patent  on  war. 
There  now  are  information  invasion,  infonnation  firepower  surveillance,  information  deterrence, 


and  information  pollution  problems  to  contend  with  in  information  space.  China  must  establish 
information  security  standards  and  rules  of  conduct,  and  issue  information  security  assessments 
and  inspection  standards  according  to  Shen.[22] 

Conclusions 

The  purpose  of  this  article  was  to  examine  the  U.S.,  Russian,  and  Chinese  understanding  of 
information  security.  The  examination  shows  that  in  both  definitions  and  in  discussion,  Russia 
and  China  differ  markedly  in  their  idea  of  information  security  than  does  the  U.S..  Russia  and 
China  are  worried  about  ways  to  influence  the  mind  and  emotions  of  its  citizens.  The  U.S.,  on 
the  other  hand,  treats  the  mind  as  a  separate  issue  governed  by  different  terms:  human  rights, 
perception  management,  and  so  on. 

The  U.S.  does  not  use  the  same  lexicon  in  its  documents  (seldom  if  ever  using  “information 
security”  in  conjunction  with  the  logic  of  its  citizens),  and  has  been  affected  by  a  different 
situational  context. 

Governed  by  such  different  paradigms,  it  is  easy  to  fathom  how  discussion  and  understanding  of 
the  term  “information  security”  in  the  U.N.  could  prove  to  be  very  difficult.  However,  with  just 
minor  compromises,  common  ground  can  be  found.  It  is  important  to  do  so  now.  A  decade  ago, 
cloning  and  stem-cell  research  were  futuristic  problems  for  scientists  but  today  they  are  problems 
scientists  must  leam  to  control.  The  speed  of  development  of  information  technology  implies  that 
a  futuristic  concept  such  as  the  electronic  manipulation  of  the  mind  may  be  closer  than  we  want 
to  believe.  If  that  happens,  the  idea  of  infonnation  security  will  take  on  a  whole  new  dimension. 

It  is  wise  to  prepare  now  for  the  future  and  develop  some  universal  procedures  for  scientists  to 
consider. 
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